On Thu, 2013-10-17 at 11:41 +0200, Eliad Peller wrote:
> > +	do {
> > +		wp = cfg80211_find_vendor_ie(0x0050F2, 2, start, len);
> > +		start = wp;
> > +		len -= wp[1];
> you might NULL deref here.
> but i don't really see how this calculation makes sense anyway (you
> should probably increase start and take care of the ie's id+len (i.e.
> wp[1] + 2) as well)?

Yeah, that loop was pretty bogus ...

	while (true) {
		wp = cfg80211_find_vendor_ie(WLAN_OUI_MICROSOFT,
					     WLAN_OUI_TYPE_MICROSOFT_WMM,
					     start, len);
		if (!wp)
			break;

		/* continue the next search after this IE, not at it */
		len -= (wp - start) + wp[1] + 2;
		start = wp + wp[1] + 2;

		/* if this IE is too short, try the next */
		if (wp[1] <= 4)
			continue;

		/* if this IE is WMM params, we found what we wanted */
		if (wp[6] == 1)
			break;
	}

is better, I think?

johannes

--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
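Review bot: the quoted hunk hard-codes the Microsoft OUI and the WMM OUI type as 0x0050F2 and 2; spell them as WLAN_OUI_MICROSOFT and WLAN_OUI_TYPE_MICROSOFT_WMM as the reply does, and test wp for NULL before `start = wp;`, since cfg80211_find_vendor_ie() returns NULL once no matching element is left in the remaining len bytes.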
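An added user-space walkthrough of the search discussed above (example code, not from this thread or from mac80211): find_vendor_ie() is a hypothetical stand-in for cfg80211_find_vendor_ie(), assumed to share its behaviour of returning the element a search starts on, and find_wmm_param() advances past each Microsoft/WMM element it finds on a constructed element list until it reaches the WMM Parameter element.

```c
#include <stddef.h>
#include <stdint.h>
/* Stand-ins for the kernel constants and cfg80211_find_vendor_ie() (assumed
 * semantics: a search started *at* a matching element returns it again). */
#define WLAN_EID_VENDOR_SPECIFIC 221
#define WLAN_OUI_MICROSOFT 0x0050f2
#define WLAN_OUI_TYPE_MICROSOFT_WMM 2

const uint8_t *find_vendor_ie(unsigned int oui, uint8_t oui_type,
			      const uint8_t *ies, int len)
{
	const uint8_t *pos = ies, *end = ies + len;
	while (end - pos >= 2 && end - pos >= 2 + pos[1]) {
		if (pos[0] == WLAN_EID_VENDOR_SPECIFIC && pos[1] >= 4 &&
		    (unsigned)(pos[2] << 16 | pos[3] << 8 | pos[4]) == oui &&
		    pos[5] == oui_type)
			return pos;
		pos += 2 + pos[1];
	}
	return NULL;
}

/* Return the WMM Parameter element (subtype 1 at wp[6]) or NULL, skipping
 * WMM Information elements (subtype 0) and elements without a subtype byte. */
const uint8_t *find_wmm_param(const uint8_t *start, int len)
{
	for (;;) {
		const uint8_t *wp = find_vendor_ie(WLAN_OUI_MICROSOFT,
				WLAN_OUI_TYPE_MICROSOFT_WMM, start, len);
		if (!wp)
			return NULL;
		/* resume *after* this element; a search from wp itself would
		 * just return wp again and never reach the next element */
		len -= (int)(wp - start) + wp[1] + 2;
		start = wp + wp[1] + 2;
		if (wp[1] <= 4)		/* too short for wp[6], try the next */
			continue;
		if (wp[6] == 1)		/* WMM Parameter element */
			return wp;
	}
}

/* Constructed element list: SSID, WMM Information element, a Microsoft/WMM
 * element too short to hold a subtype, then the WMM Parameter element. */
const uint8_t sample_ies[] = {
	0x00, 0x04, 't', 'e', 's', 't',
	0xdd, 0x07, 0x00, 0x50, 0xf2, 0x02, 0x00, 0x01, 0x80,
	0xdd, 0x04, 0x00, 0x50, 0xf2, 0x02,
	0xdd, 0x18, 0x00, 0x50, 0xf2, 0x02, 0x01, 0x01, 0x80, 0x00,
	0x03, 0xa4, 0x00, 0x00, 0x27, 0xa4, 0x00, 0x00,
	0x42, 0x43, 0x5e, 0x00, 0x62, 0x32, 0x2f, 0x00,
};
```

With the original `start = wp` the second search would return the WMM Information element at offset 6 again and the loop would never reach the parameter element at offset 21.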